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Key Points 

♦ There is widespread agreement in 
the public and private sectors that 
U.S. educational institutions are un- 
able to meet the growing demand 
for cyber workforce professionals. 

♦ It is difficult to measure the true 
size and requirements for the cyber 
workforce due to the lack of com- 
monly agreed upon cyber workforce 
job titles and duty descriptions. 

♦ The Federal Government should 
develop additional methods for 
streamlining the hiring and con- 
tracting of essential cyber talent 
and emphasize the recruitment 
of cyber workforce professionals 
with demonstrated competency. 

♦ Federal, state, and local govern- 
ments must compete with the pri- 
vate sector, academia, and interna- 
tional actors to recruit and hire top 
cyber workforce professionals. 

♦ Innovative solutions should be 
increasingly used to get students 
engaged in science, technology, 
engineering, mathematics, and 
cyber studies in order to develop 
skills in secondary and postsecond- 
ary students and to recruit them for 
government service later in life. 



I n 2008, the Comprehensive National Cybersecurity Initiative listed “expanded 
cyber education” as one of its key recommendations. In 2009, the Partnership 
for Public Service produced a report stating that the current pipeline of cyber- 
security workers into the government was inadequate. 1 In the same year, Secretary of 
Defense Robert Gates stated that the military was “desperately short of people who 
have the capabilities [to operate in cyberspace].” 2 And in 2011, the Inspector Gen- 
eral of the Federal Bureau of Investigation reported that 35 percent of the special 
agents investigating national security cyber-intrusion cases lacked necessary training 
and technical skills. 3 Nonetheless, the U.S. Government and private sector still seek 
to increase their online operations and dependency in spite of these shortcomings. 
An expert at the Atlantic Council of the United States sums up this problem: “cy- 
ber workforce management efforts resemble a Ferris wheel: the wheel turns on and 
on . . .we move, but around and around, never forward.” 4 

This paper addresses methods to close the gaps between demand and the 
current existing capabilities and capacity in the U.S. cyber workforce. A large 
number of professionals — with not only technical skills, but also an under- 
standing of cyber policy, law, and other disciplines — will be needed to ensure 
the continued success of the U.S. economy, government, and society in the 
21 st -century information age. Innovative methods have been developed by the 
government, think tanks, and private sector for closing these gaps, but more 
needs to be done. This paper is part of a larger discussion about the future of 
the U.S. cyber workforce and existing and new concepts that must be expanded 
to ensure continued success. 

The cyber revolution, part of the broader information revolution first defined 
in 1984, now touches virtually everyone and most aspects of life — 80 percent of 
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American adults, for example, now use the Internet, as 
well as over 2 billion people worldwide. 5 The future of 
the U.S. cyber workforce must consider this great para- 
digm shift. Increasingly, we encounter “cyber” in our ev- 
eryday lives: newspapers are online, automobiles contain 
computerized systems, critical infrastructures such as 
water, electricity, and communications are networked. 
Nearly every facet of life has been digitized. Cyber ap- 
plications impact Federal, state, local, and tribal govern- 
ments, and businesses depend on cyber-literate employ- 
ees. Therefore, this paper addresses the need to increase 
and improve cyber education in the United States while 
also assessing the centrality of cyber literacy to all levels 
of education and American society. 



according to Congressman Jim 
Langevin, "growth in demand 
continues to far outnumber the 
personnel capable of protecting 
our networks" 



Solutions to the cyber workforce problem are out- 
lined below. The first section of this paper discusses the 
scope of the problem. The next section covers the para- 
digm shift in some detail: how existing educational and 
training pipelines, as well as new ways of thinking and 
recruiting, are needed. The third section discusses issues 
particular to state, local, and tribal governments. The fi- 
nal section deals with cyber education at the secondary 
and postsecondary levels. Finally, a series of initial rec- 
ommendations are presented. 

Scope of the Problem: 

Existing Pipelines 

Within government, industry, and academia, it 
is universally acknowledged that the cyber workforce 
needs to be expanded. The 2009 White House Cyber- 
space Policy Review emphasized both expanding and 
training the workforce and improving cyber education 



in order to build greater domestic capacity in the digital 
age. The Center for Strategic and International Studies 
Commission on Cybersecurity for the 44 th Presidency 
lists building an expanded workforce as one of its 10 
key recommendations and released a November 2010 
report entitled A Human Capital Crisis in Cybersecurity. 
U.S. Strategic Command has identified the Department 
of Defense (DOD) cyber workforce as undersized and 
unprepared to meet current and future expected threats. 6 
According to Congressman Jim Langevin (D-RI), co- 
chair of the Congressional Cybersecurity Caucus, the 
“growth in demand continues to far outnumber the per- 
sonnel capable of protecting our networks.” 7 

The University System of Maryland (USM) Cyber 
Security Task Force lists “expanding the pipeline for cy- 
ber careers” as an actionable recommendation in its 2011 
report. 8 Clearly, awareness exists that the current cyber 
workforce is inadequate. 

Before discussing the growth of the cyber workforce, 
we must develop and agree upon a clearer definition as 
to who is a member of the cyber workforce. Currently, 
no specific occupational series identifies Federal cyber- 
security positions. In fact, the Government Accountabil- 
ity Office (GAO) lists 17 different occupational series 
commonly used to label such workers, and this does not 
even include the uniformed military. 9 As a result, Fed- 
eral agencies often release highly conflicting information 
when asked about the size of their cybersecurity work- 
force: DOD reported 66,000 cybersecurity full-time 
equivalents (FTEs) in the Office of Management and 
Budget fiscal year 2010 Federal Information Security 
Management Act (FISMA) report; 87,846 FTEs in a 
2010 agency FISMA report; 88,159 in a 2011 GAO data 
call; and 18,955 in a 2010 Office of Personnel Manage- 
ment (OPM) study. 10 DOD, Department of Homeland 
Security (DHS), and other Federal agencies have taken 
steps to define the roles and responsibilities of the gov- 
ernment’s cyber workforce, but there is no current and 
universally agreed upon framework. 

Even as the current cyber workforce must grow 
quantitatively and qualitatively, the gap between 
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requirements and capacity will no doubt continue to 
increase exponentially. Within DOD, nearly every 
combat, logistical, and administrative capability is now 
digitized and relies on global networks, millions of lines 
of computer code, and a staff of highly trained informa- 
tion technology (IT) professionals to keep them run- 
ning and secure. Unmanned aerial systems (UAS) are 
emblematic of this trend. A UAS is essentially a flying 
platform composed of varying computerized capabili- 
ties, controlled remotely via computer, and usually com- 
municates with a wide range of networked intelligence 
systems throughout the globe. 

As the government’s cyber workforce requirements 
grow, it must also compete with the private sector, both 
at home and abroad, where demand and incentives (sal- 
ary, benefits) for talented individuals are highly com- 
petitive. Recent years have seen high-profile network 
intrusions across different commercial sectors, includ- 
ing defense (Lockheed Martin), social media and email 
(Facebook and Google), finance (Royal Bank of Scot- 
land), IT security (RSA) and entertainment (Sony). To 
protect and expand their online presence and automat- 
ed operations, firms not traditionally associated with IT 
are investing significant resources in their own cyber 
workforces, further dampening the global competition 
for cybersecurity professionals. Smaller firms, nonprof- 
its, and any organization with an online presence are 
forced to make significant cybersecurity investments 
due to cyber criminals on the lookout for easy prey. 

In the near term, attracting talented individuals 
to expand the cyber workforce will need to be done in 
an environment of budget austerity. Regardless of the 
end result of the Federal budget debate, spending will 
likely be cut across most, if not all, agencies. State and 
local governments and industry are also facing simi- 
lar difficulties due to the negative fiscal climate and 
slow economy. In Congress and on the election trail, 
there are also influential voices that advocate push- 
ing more responsibilities (and the responsibility for 
their funding) back on state and local jurisdictions. 
This should further drive awareness that the push for 



a more robust cyber workforce will take place in an 
environment of limited resources, stiff competition, 
and growing demands. 

While there is a debate on how much the overall 
U.S. cyber workforce must grow, there is wide agreement 
that — in the face of this growing demand and upcoming 
retirements — it must grow in both quantity and quality. 
Due to ageing trends, growth of the overall U.S. workforce 
is expected to decline from 1.2 percent to 0.8 percent from 
2006-2016, and the fastest-growing segment of the work- 
force is age 55 and older, a segment of the population that 
tends to be less proficient with technology. In addition, 
4-year degrees conferred in computer and information sci- 
ences peaked in 2004, and have dropped 30 percent since 
then. 11 However, other computer-related disciplines and 
educational/certificate programs have been reported to be 
on the rise, such as those associated with the computer 
gaming industry and others that require a great deal of 
familiarity with computer skills. This makes it difficult to 
judge the true size of the potential pool of people from 
which to recruit cybersecurity professionals. 

U.S. cyber capabilities and competitiveness strongly 
underpin the Nations economic vitality and technological 
advantage, which in turn underwrite national security and 
enable the American high standard of living. The United 
States has been at the forefront of past technological revo- 
lutions — industrial, nuclear, space — and a failure to stay 
at the forefront of the cyber (or information) age could 
be a serious threat to the American way of life. Despite 
the growing dependence on cyber and related capabilities, 
the U.S. scientific and technological base is struggling, and 
without serious action, there are concerns that it might not 
be able to sustain a competitive advantage. 

Paradigm Shift: Existing Pipelines 
and New Ways of Hiring 

It is clear to cyber experts and observers inside and 
outside government that many of the terms of the dis- 
cussion, assumptions, and conventional wisdom need to 
be updated or discarded altogether. This paradigm shift 
requires acknowledgment that cyber is now central to 
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our way of life. Similar to the advent of automobiles and 
personal computers, the current cyber (or information) 
revolution puts a versatile device in our hands, pockets, 
and on our person 24/7. Smart-phones and other ad- 
vanced computing devices increase productivity in our 
personal lives, in commerce, and in terms of national se- 
curity, but these powerful devices also come with signifi- 
cant vulnerabilities. To enable Americans to succeed in 
cyberspace while simultaneously protecting them in cy- 
berspace, Americans will have to be educated and trained 
to use these devices effectively and safely at a younger 
age, even if they are not going into a cyber field of study 
or occupation. Americans will encounter cyberspace 
throughout their everyday lives. Similar to learning to 
drive and learning to read and write, understanding how 
to operate safely in cyberspace must be recognized as a 
new core skill for living in the 21 st century. 



applicants should demonstrate 
competency prior to being hired, 
and this competency should not 
be assumed solely on degrees 
previously awarded 



The concept of what constitutes cyber must also 
be enlarged from a purely technological notion. There 
is more to cyber than hardware and software. Com- 
puters were created by humans to be used as tools by 
humans and are fixed, developed, protected and main- 
tained by humans. Investing in people is on a par with, 
if not more important than, the hardware and software 
involved. Similarly, while science, technology, engi- 
neering, and mathematics (STEM) are the founda- 
tion of cyber and other technologies, they are not the 
only pertinent fields. Although computers date back 
to World War II, it was innovations in the design and 
conceptualization of computer technology and an en- 
trepreneurial spirit that brought personal computers 
into the mainstream and many households. In today’s 



environment, cyber capabilities require legal and pol- 
icy expertise in order to sift through the development 
of international norms, rules of engagement, and con- 
flicting statutory authorities, as well as analytical ca- 
pabilities to identify adversary threats and patterns of 
behavior. So while the foundation of cyber is STEM, 
a better understanding and effective use of computers 
require a truly multidisciplinary approach and a strong 
investment in human capital. 

This paradigm shift also requires a new way of 
thinking about hiring and recruiting intellectual capi- 
tal. Currently, the basis for hiring in most government 
and many private sector positions is the applicant’s level 
of education. Many jobs have minimum educational 
requirements, and a new employee’s salary and level of 
entry are determined by several factors, education chief 
among them. While a bachelor’s degree is generally re- 
quired for IT positions, a snapshot of these positions’job 
descriptions and duties and responsibilities reveals that 
a 4-year degree (and the types of knowledge, skills, and 
abilities [KSA] entailed) may be useful for a position, 
but should certainly not be a prerequisite. In fact, those 
KSAs can be equally obtained through a combination 
of technical schools, community colleges, and on-the-job 
training and experience. 

Applicants should demonstrate competency prior to 
being hired, and this competency should not be assumed 
solely on degrees previously awarded. Job descriptions 
and position requirements must be updated to reflect 
more accurately those KSAs required to perform the job 
and not only academic credentials or the traditional re- 
quirements. This simple change could greatly enlarge the 
pool of qualified applicants for cyber-related positions. 

While competency tests may require more time 
and cost than an average interview, the institution of 
such tests would confer several benefits. Government 
IT departments would instantly know the ability levels 
of new staff and could adjust training accordingly — and 
could fast-track the most promising candidates to take 
advantage of their capabilities immediately. Potential 
applicants could hone their skills, knowing roughly 
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what the test requires of them. The difficulty of en- 
trance tests could also be modified based on workforce 
requirements and the shape of the job market. This 
market-driven process could work similarly to the mili- 
tary recruiting model. 

The most prominent pipelines in place to produce 
information assurance (IA) professionals for the Fed- 
eral Government workforce are the National Science 
Foundation’s Scholarship for Service (SFS) and DOD 
Information Assurance Scholarship Program (IASP). 
The SFS recruits U.S. citizens in IA education tracks 
at the undergraduate and graduate levels with scholar- 
ships, which are repaid through service to the Federal 
Government. The IASP has two tracks: a recruitment 
program to bring new talent into DOD, and a reten- 
tion program aimed at existing DOD employees seek- 
ing to bolster their academic credentials. As scholar- 
ship programs, they represent a small percentage of 
Federal agency IA requirements. From 2001 to 2008, 
1,001 students received IA scholarships through these 
programs, and 93 percent subsequently found em- 
ployment with the Federal Government. From 2011 
to 2013, the Federal Government is expected to hire 
roughly 8,000 new IA professionals. 12 Clearly, these 
programs will only address a small fraction of the gov- 
ernment’s IA workforce requirements and not solve 
the personnel demands at state and local levels, as well 
as industry. 

Scholarships are expensive solutions, however, and 
other pipelines are in the process of being built. In 
2011, the Defense Advanced Research Projects Agency 
(DARPA) began Cyber Fast Track, a project designed 
to award small, short-term contracts to boutique firms 
and individuals with cyber skills sets needed for the 
DARPA mission. In the project’s research announce- 
ment, it notes the strategic mission and seeks solutions 
to long-term strategic problems such as reducing at- 
tack surfaces and vulnerabilities in cyberspace to create 
greater cost to the adversary. 13 As of December 2011, 
13 contracts have been awarded, some of which were 
of a duration of only 14 weeks and some to firms with 



as few as five people. 14 Cyber Fast Track has so far suc- 
cessfully bridged the gap between the hacker commu- 
nity and the Federal Government. Similar small and 
agile concepts, with the potential for bigger payoffs 
and without the financial or time outlays required by 
scholarship programs, are solutions that Federal agen- 
cies might consider. 

A change in our thinking from the cyber domain as 
purely technological to a domain with a significant human 
aspect entails the recognition that one of the critical ele- 
ments of cybersecurity is people — not only a cadre of well- 
trained individuals ready to respond to security breaches, 
but also end-users aware of the risks and responsibilities 
of using government networks. The fact that individuals 
are generally considered the greatest cybersecurity vulner- 
ability is another reason why investing in people is just as 
important as investing in hardware and software and may 
yield a higher return on investment. 

Need for a Common 
Framework and Lexicon 
across Federal Agencies 

Since cybersecurity is a relatively new field, there 
is no common lexicon or framework for understanding 
and defining cyber workforce job descriptions. A com- 
mon lexicon is necessary to assess the true state of the 
cyber workforce and to model its proper growth. When 
positions and career paths linking these together are bet- 
ter codified, not only will it become easier to retain tal- 
ent, but the scope of the workforce problem will become 
clearer as well. 

Such a framework was proposed by the National Ini- 
tiative for Cybersecurity Education (NICE) in 2011. 15 
The stated aim of the NICE Cybersecurity Workforce 
Framework is to “put forth a working taxonomy and 
common lexicon that can be overlaid onto any organiza- 
tion’s existing occupational structure. ’’The NICE frame- 
work organizes positions within the cyber workforce into 
seven high-level categories under which it groups work- 
ers who share major job functions (testing and evalua- 
tion, systems administration, and so forth) and finally 
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Table 1. NICE Cybersecurity Workforce Framework 



High-level Categories 


Sample Positions 


Securely provision: Designing and building 
secure IT systems 


Software engineer, risk/vulnerability ana- 
lyst, application security tester 


Operate and maintain: Providing support, 
administration, and maintenance 


LAN administrator, technical support special- 
ist, database developer, IA security officer 


Protect and defend: Identifying, analyzing, 
and mitigating threats 


Blue Team technician, security analyst, net- 
work technician, reverse engineer 


Investigate: Investigating cyber events or 
crimes involving IT 


Computer network defense forensic analyst, 
computer crime investigator 


Operate and collect: Collecting information 
used to develop intelligence 


Military and intelligence operations 


Analyze: Evaluating cyber information to 
determine intelligence usefulness 


Cyber threat analyst 


Support: Education and training, policy, 
legal support for cyber 


Legal advisor, information security trainer, 
information security policy manager 



lists sample positions beneath each. The major categories 
and sample positions are shown in table 1. 

Some overlap does exist between certain categories. 
Immediate incident response, for example, falls under 
both protect and defend as well as the investigate cat- 
egories, and network system design, construction, and 
maintenance all require systems security analysts since 
networks must be tested both upon launch and con- 
tinuously throughout their lifespans to ensure viability. 
NICE recognizes that the existing framework is a work 
in progress and seeks to refine it through input from aca- 
demia, business, and nonprofit organizations. Cyber is a 
growing field and new positions and fields can be add- 
ed to the framework as technological change alters the 
landscape of various cyber disciplines. NICE encourages 
feedback regarding the usefulness of the framework and 
any inadequacies or suggested improvements. 

Cybersecurity at the State, Local, 
and Tribal Levels 

There are several important reasons why state and 
local jurisdictions are on the frontlines of cybersecurity. 



For one, state and local governments closely interact 
with their residents and industry in many ways the Fed- 
eral Government does not. They maintain many databas- 
es containing personally identifiable information (PII), 
operate e-governance initiatives, and work closely with 
industry, including companies responsible for critical 
infrastructure — all of which affect the day-to-day lives 
of their residents. Due to budget constraints, cybersecu- 
rity competes for funding with other state and local pri- 
orities, thereby exposing critical infrastructure, residents’ 
PII, and other essential services to vulnerabilities. State 
and local employees who maintain and protect these in- 
formation systems are an important, though generally 
overlooked part of the national cyber workforce. Thus, 
state and local cyber workforces must not be ignored be- 
cause of their considerable cybersecurity responsibilities 
and potential vulnerabilities, and because they are “first 
responder” assets that can be leveraged in a time of crisis. 

What are the potential financial costs of inaction? 
The 2006 theft of hardware from the home of a De- 
partment of Veterans Affairs (VA) employee exposed 
the PII of 26.5 million veterans and approximately 2 
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million Active-duty and Reserve military personnel. 
As a result, VA spent $7 million to notify affected per- 
sonnel of the data breach, $100 million to offer 1 year 
of free credit reporting to affected individuals, and 
also faced a class-action lawsuit from five veterans’ 
groups. 16 The data breach occurred despite repeated 
warnings from both the GAO and the VA’s Inspector 
General that VA information security management 
procedures were inadequate. 

While the VA example deals with a Federal agency, 
states have also been in the news for inadequate IT security. 
An audit conducted by Colorado’s Office of Cyber- Security 
found that PII was easily compromised during a red team 
penetration test. Colorado estimates a $39.5 million budget 
shortfall for adequate protection of the state’s information 
systems. 17 The Office of the State Comptroller of New Jer- 
sey found that state agencies had failed to remove PII prior 
to placing surplus equipment up for auction. 18 In 2010, the 
National Association of State Chief Information Security 
Officers noted that 79 percent of states saw IT budgets cut 
or remaining stagnant in the face of rising threats. 19 

One of the primary challenges facing state and lo- 
cal governments is their inability to attract and retain 
competent individuals. All states, except Vermont, have 
a legal requirement to balance their budgets. States were 
hit particularly hard by the 2008 financial crisis, and 
Federal funding to assist states with budget shortfalls, 
enacted as part of the 2009 Recovery Act, has expired. 
Although state finances are improving as the economy 
begins to recover, states will continue to face histori- 
cally large shortfalls in the coming years. 20 As a result, 
states that were once able to attract cyber talent with 
generous benefits packages are no longer able because 
of fiscal realities. Impending across-the-board budget 
cuts will affect not only recruitment, but also the reten- 
tion of skilled employees. Recent trends indicate that 
states currently only spend about 2 percent of their IT 
budget on security, even though the accepted industry 
standard is about 5 percent. 

Some states are also geographically disadvantaged. 
Top-level talent often receives offers from the private 



sector and a wide array of Federal agencies. Individu- 
als with low-density, high-demand skill sets generally 
choose to pursue top-dollar employment options in 
Silicon Valley and large metropolitan areas rather than 
geographically remote areas. As stated, state, local, and 
tribal governments have difficulty competing with sal- 
aries and benefits packages offered by the private sec- 
tor and Federal Government, especially in the current 
fiscal climate. 



states that were once able to attract 
cyber talent with generous benefits 
packages are no longer able because 
of fiscal realities 



State and local agencies face tough choices. Some 
answers to these choices already exist in the form of 
Federal measures, such as the National Institute of 
Standards and Technology SP 800-55 and the DHS 
Risk Management Process. Despite budgetary chal- 
lenges, state and local authorities may be best served by 
following Federal Government initiatives and industry 
best practices by viewing security holistically and not 
only as an issue of the security of in-house networks. 
Contractors and third parties that service and connect 
to government networks must also be part of any so- 
lution. What is needed is a comprehensive framework 
that can be modified depending on the budgetary out- 
look for a given fiscal year and the current threat en- 
vironment. Any new framework must not simply be a 
“check-the-box” bureaucratic exercise, but must be agile 
and fully evaluate the risks. 21 

Stronger Cyber Education: 

Not Only a "Pipeline" But Also 
an "Ecosystem" 

Any discussion of cyber education needs to take 
place at two levels. The first deals with the “pipe- 
line” — that is, the direct channels that will ensure a 
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trained workforce for U.S. society in the future. The 
second deals with the “ecosystem” — that is, general cy- 
ber education at all levels of schooling that will result 
in a productive, high-tech workforce for an increas- 
ingly cyber-dependent United States. It was this sec- 
ond level the Comprehensive National Cybersecurity 
Initiative addressed when it stated that “It will take 
a national strategy, similar to the effort to upgrade 
math and science education in the 1950s, to meet 
this challenge.” 



many high school students 
seeking to enter STEM fields are 
unprepared for the scientific and 
highly technical course 
material they encounter 
as freshmen 



The demand for professionals with cyber compe- 
tencies has begun to be addressed by universities. The 
National Security Agency (NSA) and DHS jointly 
sponsor the National Centers of Academic Excellence 
in Information Assurance Education (CAE/IAE), 
CAE-Research, and community college programs. As 
of April 2012, these designations have been applied 
to 145 colleges and universities in the 50 states and 
Puerto Rico. 22 One outcome of this designation has 
been a proliferation in quality accredited IA and cy- 
bersecurity bachelor’s and master’s programs nation- 
wide. Students who attend CAE-designated programs 
are eligible for scholarships and grants through DOD 
and DHS and upon graduation are immediately ready 
to enter the workforce for large employers such as 
the NSA. 

The CAE program is expanding in 2012 with a 
new designation. The CAE-Cyber Operations program 
is intended to be technical and interdisciplinary, firmly 
grounded in computer engineering, sciences, and elec- 
trical engineering, with extensive hands-on application 



in laboratories. Expansion likely indicates that the NSA 
and DHS consider the initial CAE program to be a sig- 
nificant success. 

However, distribution of these programs is uneven: 
of the 145 higher education institutions receiving CAE 
designation, only 13 are community colleges with “CAE 
2-year” designations, and 5 of those are located in the 
state of Maryland alone. Community colleges often act 
as trade schools, offering associate’s degree programs 
narrowly focused on a trade, such as paralegal or nursing 
degrees. California, with only seven schools designated 
as CAE/IAE, has 5 percent of the designated schools, 
but represents 12 percent of the U.S. population. In fact, 
the majority of universities considered among the best 
computer science programs nationwide have not pur- 
sued the designation, including the California Institute 
of Technology, Massachusetts Institute of Technology, 
University of Texas at Austin, University of Wisconsin at 
Madison, and Cornell University to name a few. Why are 
some of the best STEM schools in the country not ap- 
plying for CAE designation? More comprehensive study 
may be required to determine if the degree programs at 
these universities involve superior models that should be 
imitated more widely. 

Outside of Federal-level initiatives involving higher 
education, some state education systems have chosen to 
emphasize cybersecurity at the university level. Previously, 
Maryland (home to the NSA, U.S. Cyber Command, Na- 
tional Institute for Standards and Technology, Defense 
Information Systems Agency, and many other Federal 
agencies and high-tech private-sector firms, such as Lock- 
heed Martin) was mentioned as possessing nearly half of 
all community colleges in the United States that have re- 
ceived CAE 2-year designations. Maryland also has 13 
postsecondary institutions bearing CAE designations, 
more than any other state. This emphasis has been part of 
a concerted effort of forward-looking individuals: Univer- 
sity System of Maryland Chancellor Dr. William Kirwin 
convened a task force in November 2010 with representa- 
tives from Federal and state government and Maryland 
universities to examine how the state should approach 
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cybersecurity. This Cyber Security Task Force is charged 
with identifying degree requirements for careers in cy- 
bersecurity and building USM’s related capacity. 23 These 
initiatives fall under a broader state plan as Maryland has 
been identified and emphasized as “CyberMaryland” by 
Governor Martin OMalley due to its importance for the 
Federal Government and “hub” status for industry. Since 
the task force’s launch, the number of CAE-designated 
institutions has grown from 4 to 13. The emphasis placed 
by state-level offices in Maryland on cybersecurity educa- 
tion could serve as a model for other states. 

Broadly speaking, the United States faces a serious 
challenge in educating the future STEM workforce. A 
multiyear study conducted by the University of Califor- 
nia at Los Angeles concluded that STEM graduates take 
longer to complete their degrees and are more likely to 
drop out than those in non- STEM fields. 24 Among the 
causes are that teaching quality in STEM disciplines of- 
ten suffers as faculty prioritizes research that contributes 
to tenure track and grant funding in many institutions. 
In addition, the lack of mentorship and research oppor- 
tunities for undergraduates also discourages many. Proper 
preparation is also cited as a problem: many high school 
students seeking to enter STEM fields are unprepared for 
the scientific and highly technical course material they en- 
counter as freshmen. At the high school level, a shortage 
of qualified teachers means that students are not exposed 
to programming or computer science, which means that 
by the time they reach the undergraduate level, many have 
already chosen a course of study and mapped out their de- 
gree path (and cyber is not part of it). 

Cyber is a wider discipline than simply the STEM 
fields, and professionals with backgrounds ranging from the 
social sciences to business and the arts will be needed in 
the cyber workforce of the future. Nonetheless, the Federal 
Government must consider measures to improve STEM 
education and work to increase the number of future engi- 
neers and mathematicians who matriculate since these and 
other STEM areas are the foundational fields of cyber. 

At the high school and college levels, there are 
two ways to prepare students for future employment 



as part of the cyber workforce. Students can either fo- 
cus on cyber-related disciplines as part of their core 
coursework or focus on cyber-related studies as elec- 
tives or extracurricular activities. One example of a 
program that confers college-level classroom experi- 
ence on high school students is the Alamo Academies 
in San Antonio. Meanwhile, the U.S. Cyber Challenge 
competition assesses the cyber aptitude of high school 
students, college students, and young adults through a 
series of tournaments. Both programs have resulted in 
direct employment of graduating seniors in IT posi- 
tions in government and with defense contractors. 



Alamo Academies is unique in its 
level of partnership with industry, 
local government, public school 
systems, and community colleges 



As a successful example of “preparing the pipeline,” 
it is important to examine the role of industry in driving 
the initial creation of the Alamo Academies. Following 
the closure of Kelly Air Force Base in 1997, Lockheed 
Martin and Boeing accepted a large logistics contract 
and hired a third of the former installation’s workforce to 
execute it. Aware that a large segment of their workforce 
would begin retiring in the next 10 years, these compa- 
nies began consulting with nearby San Antonio Com- 
munity College about how well its curriculum matched 
their entry-level workforce requirements. Stemming 
from those discussions, and initial successes, a program 
was instituted with the Aerospace Academy in 2001. To- 
day, 220 high school juniors and 168 high school seniors 
are enrolled in the Alamo Academies program. 

The Alamo Academies consists of programs at five 
San Antonio and Bexar County schools: San Antonio, 
St. Philip’s, Palo Alto, Northeast Lakeview, and North- 
west Vista. All five offer associate’s degree programs 
and certificates and licensure in occupational programs 
that prepare students for jobs in the local and regional 
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Table 2. Selected U.S. Cyber Competitions 



Competition 


Audience 


What It Does 


Web Links 


Cyber Security 
Treasure Hunt 


High school students, 
college students, and 
adults who want 
to prove they have 
basic mastery of IT 
security 


Like a scavenger 
hunt, the game deliv- 
ers an online quiz 
that sends candi- 
dates to a simulated 
environment where 
they can safely 
explore and find an- 
swers to questions. 


http://securitytrea- 

surehunt.com/ 


Cyber Foundations 
High School 
Competition 


High school students 


Students receive basic 
instruction in three 
modules: networking, 
operating systems, 
and system adminis- 
tration, and then are 
quizzed on knowl- 
edge of the systems. 


https://www.cyber- 

foundations.org/ 


Cyber Patriot High 
School Defense 
Competition 


High school students 


Students must 
harden systems to 
block attacks and are 
scored on their suc- 
cess in keeping the 
attackers out. 


www.uscyberpatriot. 

org/Pages/default. 

aspx 


U.S. Cyber Challenge 
Summer Camps 


College students and 
some high school 
students, depending 
on location 


Week-long "boot 
camps" focusing on 
intensive instruction 
on penetration test- 
ing, reverse engi- 
neering, and foren- 
sics, all culminating 
in competitions. 


https://www.nbise. 

org/uscc/camps/ 


DC3 Digital Forensics 
Challenge 


Separate challenges 
for high school stu- 
dents, college stu- 
dents, and adults 
to demonstrate 
forensics skills 


Provides a disk image 
of data taken from 
actual cases investi- 
gated and asks four 
levels of questions; 

the fourth level 
includes questions 
even DC3 has been 
unable to answer. 


www.dc3.mil/chal- 

lenge/2011/ 
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Table 2. cont. 



National Collegiate 
Cyber Defense 
Competition 


College students 


Students compete in 
a simulation where 
they manage a small 
business IT system 
and protect against 
attacks. 


www.nationalccdc. 
org / 


SANS NetWars 


Talented high school 
students, college stu- 
dents, and adults 


Students work in a 
real-world, online 
laboratory attempting 
to capture and hold 
territory in cyberspace 
while hundreds of 
others attempt to do 
the same. 


www.sans.org/cyber- 

ranges/netwars/ 



economy. All courses are fully transferable to colleges 
and universities across the United States. The objective 
of the Alamo Academies is to accelerate the learning of 
future cyber workforce members. The program allows 
high school juniors and seniors to complete college- 
credit coursework on local campuses where they take ap- 
proximately half of their classes at their high school and 
the remainder at the community college. Students study 
in one of four degree programs: aerospace academy, IT 
security academy, manufacturing academy, or the health 
professional academy. 

While other programs similar to the Alamo Acad- 
emies exist around the United States, few exist at the 
high school level, and it is unique in its level of part- 
nership with industry, local government, public school 
systems, and community colleges. High school juniors 
and seniors must pass college assessment tests in order to 
enter the program. Students have the flexibility to study 
at the Alamo Academies in the morning or evening de- 
pending on their schedules. These students are also given 
a chance to practice what they learn on the job via paid 
summer internships with locally based defense contrac- 
tors and other major corporations, including Lockheed 
Martin, Boeing, Toyota, ITM, Kinetic Concepts, Cox 



Manufacturing, AT&T, and SWBC. Class sizes are lim- 
ited because technical courses cannot have more than a 
12-to-l student/teacher ratio, and the program size is 
determined by the number of internships offered by local 
businesses in a given year. 

Equally important are the financial details of the 
program. Students’ tuition and fees are waived and trans- 
portation to the Alamo Academies and textbooks are 
provided by local school districts. Bus fleets are reim- 
bursed by the state of Texas through support to technol- 
ogy initiatives, and community colleges receive funding 
via taxes and state education funds that allow them to 
waive tuition and fees for high school students. School 
districts receive funding based on how many students at- 
tend each school, and as the Alamo Academies’s students 
spend half of their day at their home high schools, the 
school districts’ funding is unaffected. 

The U.S. Cyber Challenge is composed of several 
components targeting students of various skill levels and 
in different venues. The lowest rung operated by U.S. 
Cyber Challenge is Security Treasure Hunt, an online 
environment that assesses student skills in different in- 
formation security areas, including Web vulnerability 
assessment, digital forensics, cryptographic analysis, and 
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penetration testing. 25 U.S. Cyber Challenge is open to 
the public with the stated objective of identifying indi- 
viduals with promising skills in information assurance. 

Part of the Treasure Hunt, Cyber Quests, attracted 
800 participants from 400 different schools. The 200 win- 
ners (all high school and postsecondary students) were of- 
fered slots in weeklong summer cyber camps, held at vari- 
ous colleges and universities around the United States. The 
camps are designed as “cyber boot camps” where attendees 
gain in-depth knowledge of penetration testing, forensics, 
and reverse engineering from university-level faculty. Win- 
ners of the end-of-camp “capture the flag” tournament 
were offered $1,000 scholarships by (ISC) 2 , a well-known 
educator and industry credentialing authority. 26 



both the pipeline and ecosystem 
need to be improved to increase 
the size of the cyber workforce and 
better prepare the United States for 
future security challenges 



Another program, Cyber Patriot, began in 2008 as a 
national high school cyber defense competition organized 
by the Air Force Association (AFA). Initial competitions 
were held in 2009 with over 200 teams participating. Simi- 
lar to the formation of the Alamo Academies, a partnership 
between industry and academic institutions played a promi- 
nent role in the launch of Cyber Patriot. Along with AFA, 
defense contractor SAIC and the Center for Infrastructure 
Assurance and Security (CIAS) at the University of Texas 
at San Antonio worked together to stand up Cyber Patriot. 
In addition, Northrop Grumman committed the funding 
for Cyber Patriot to operate nationwide. The 2011 competi- 
tion features 2,500 teams from all U.S. states. 

The National Collegiate Cyber Defense Competition 
(NCCDC) is another university-level event that provides 
more of a “regular season” for college teams rather than lim- 
ited “tournament” play. First launched in 2005 by CIAS — 
also a Cyber Patriot sponsor — the NCCDC that began in 



April 2011 featured 9 regional finalists from more than 100 
teams nationwide. The NCCDC also includes participation 
from the private sector, including Deloitte LLP (the 2011 
tide sponsor), as well as Microsoft, McAfee, SAIC, Boeing, 
Northrop Grumman, Red Lambda, and Zynga. 27 

The DOD Cyber Crime Center Digital Forensics 
Challenge dates back to 2006. It is an individual competi- 
tion where competing teams gauge their success based on 
the number of possible points achieved in each challenge. 
The focus is on uncovering digital evidence from a network 
breach. Open to international competitors, the 2010 Grand 
Champion was a team from South Korea. Prizes are also 
awarded to the best teams from several different categories, 
including U.S. Government, military, civilian, graduate, un- 
dergraduate, community college, and high school. 28 

NetWars is sponsored by the SANS Institute, an 
industry-credentialing authority and educator, and is 
aimed at all skill levels. During this competition, all 
players begin on the same footing, but only profession- 
als with at least 10 years of experience are expected to 
perform at the top level. SANS also conducts NetWars 
Continuous, which is a similar challenge, but during a 
4-month league rather than tournament format. 29 

Whom should these competitions target? According 
to the director of the U.S. Cyber Challenge, these compe- 
titions should aim to attract students in non- STEM fields. 
Many of these students have skills, but due to misconcep- 
tions about “technology,” they are reluctant to participate. 
Nevertheless, after joining, many of these students have 
found success in Cyber Challenge and other competitions. 
In fact, marketing, communications, arts, and business ma- 
jors, all of whom are disproportionately underrepresented 
in cyber and STEM fields, have done quite well in various 
cyber competitions over the years. 

Concluding Thoughts 

Both the pipeline and ecosystem need to be im- 
proved to increase the size of the cyber workforce and 
better prepare the United States for future security chal- 
lenges. Should current trends hold in the future, cyber 
will be even more interwoven into the fabric of every- 
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day life in the United States. Outside of STEM, a more 
thorough dialogue is necessary about cyber education at 
the secondary level. Not only should this education be 
about how to use computers, but how to navigate and 
operate safely in cyberspace in order to best take advan- 
tage of it. The concept of the “cyber playground” has been 
raised as an analogy. How do you teach children to play 
safely on the playground in the absence of adults? Un- 
derstanding the dangers inherent in Internet use is not 
widely held, and education at lower levels is rudimentary, 
merely focusing on using computers. Eventually, greater 
understanding of cyberspace and its dangers will need to 
be integrated into curricula at the secondary level. And at 
home, if awareness of these technologies and their dan- 
gers is not present in the minds of the young, network 
security as a whole is likely to continue to suffer in the 
future because of poor end-user practices and habits. 

Integrating cyber education at a low level into prima- 
ry and secondary school curricula may have added benefits 
as well. The introduction of computers and the Internet at 
a young age may lead to more individuals pursuing cyber 
and STEM-related coursework in elementary through 
high school. This would likely increase the size and inter- 
est of cyber and STEM students in postsecondary edu- 
cational institutions, thus ensuring a strong ecosystem to 
supply the pipeline into the U.S. cyber workforce. 

Recommendations 

Federal Government hiring rules and authorities 
for cyber workforce professionals: There exists a need to 
explore alternative hiring authorities for cyber profes- 
sionals, including education-based, skills-based, and ex- 
perience-based processes. Recommend forming a DHS/ 
DOD/OPM task force to examine core workforce issues 
and provide short-, mid-, and long-term human capital 
strategies for government departments and agencies. 

Federal Government career path and progressions for 
cyber workforce professionals: There is presently no for- 
mal career path for government employees in the field 
of cybersecurity. A large percentage of cybersecurity 
has been outsourced to the private sector. Recommend 



OPM consider creating a government career series, clas- 
sification standards, and promotion path for a new cy- 
bersecurity career series. 



integrating cyber education at a low 
level into primary and secondary 
school curricula may have 
added benefits 



A career path should also be formalized for our cy- 
ber senior leaders, which would focus on not only tech- 
nical competence, but also organizational management 
and decisionmaking regarding complex cyber issues. This 
senior leader career path should also require cross-orga- 
nizational or “joint” training and development as cyber 
decisionmakers would greatly benefit from experiences 
in DOD, DHS, the private sector, and other cyber-relat- 
ed organizations. 

State and local government issues for cyber workforce 
professionals: State, local, and tribal governments are 
facing enormous fiscal pressures and have not invested 
or cut back their investment in cybersecurity related ac- 
tivities. This has disincentivized the local workforce from 
pursuing this career field. Recommend the Congress 
consider legislative incentives (matching funds) for in- 
vestment in cybersecurity. Also, recommend the Federal 
Government seek standardization of cybersecurity work- 
force positions with state, local, and tribal governments 
and explore methods for easier transfer of cybersecurity 
professionals among the different levels of government 
and with select private sector partners. 

Streamlined security clearance process: Many cy- 
bersecurity positions require some form of security 
clearance. The current vetting for security clearances 
is cumbersome and time consuming and potentially 
disincentivizes many to apply for positions requiring 
a clearance. This applies to potential government em- 
ployees and civilian partners where classified informa- 
tion-sharing is critical. For example, DOD relies on the 
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Global Transportation Network both to protect power 
and for sustainment. Nearly 85 percent of this network 
is owned by the private sector. The United States must 
be able to share information with these critical private 
sector partners to help protect this critical capability. 
Recommend that specific guidelines and processes be 
developed for potential employees (both government 
and private sector) in the cybersecurity workforce. The 
goal is to accelerate the process and empower select pri- 
vate sector partners with critical information without 
compromising standards. 

Congressional advocacy: As of May 2012, there 
were several major cybersecurity bills pending in Con- 
gress. Each represents a significant step forward in the 
recognition of the criticality of the cybersecurity issue. 
It might be useful if Congress would consider desig- 
nating the cyber workforce issue for the U.S. Govern- 
ment and U.S. society as a whole to specific oversight 
committee(s) that would be responsible for introduc- 
ing appropriate legislation and monitoring progress 
on this issue. 

Public-private solutions for enhancing the cyber 
workforce pipeline: The private sector has recognized the 
potential shortfalls in the future cyber workforce and has 
made modest strides toward developing their own future 
workforce. Recommend OPM and the Department of 
Education consider building off of these private sector 
initiatives and develop or facilitate development of simi- 
lar intern/scholarship programs. 

Broader educational initiatives to emphasize and 
improve STEM education and cyber-related competen- 
cies (such as legal, policy, and intelligence analysis): There 
are a number of well intended but disconnected STEM 
initiatives under way in the government and private 
sector. Recommend that the executive branch consider 
making this a national priority included in a national 
“Competitiveness Strategy.” 

National strategic communication campaign to em- 
phasize the importance of cyber and STEM education: 
STEM education is one of the key building blocks for 
U.S. competitive advantage in the cyber domain and 



many other fields. Recommend the executive branch, 
Department of Education, and Congress consider cre- 
ating incentives via funding, grants, prioritization, and 
public recognition for students, educators, public offi- 
cials, and professionals to place a renewed emphasis on 
STEM education as a necessity for sustaining U.S. pros- 
perity and global leadership. 
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